[dns-operations] (In)correct handling of wildcard NS at zone apex.

Viktor Dukhovni ietf-dane at dukhovni.org
Sat May 26 05:54:09 UTC 2018

> On May 26, 2018, at 12:41 AM, Robert Edmonds <edmonds at mycre.ws> wrote:
>> An interesting edge-case is mishandled by the nameservers at
>> nazwa.pl.  They seem to have a few customers with signed zones
>> that are empty apart from a wildcard NS just below the zone
>> apex.
> Aren't wildcard NSes formally undefined in the DNSSEC specification?

So it seems! Thanks for the text below, I hadn't seen it before:

> 4.2.  NS RRSet at a Wildcard Domain Name
>   With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in
>   place, the semantics of a wildcard domain name owning an NS RRSet has
>   come to be poorly defined.  The dilemma relates to a conflict between
>   the rules for synthesis in part 'c' and the fact that the resulting
>   synthesis generates a record for which the zone is not authoritative.
>   In a DNSSEC signed zone, the mechanics of signature management
>   (generation and inclusion in a message) have become unclear.
>   [...]
>   With no clear consensus forming on the solution to this dilemma, and
>   the realization that wildcards of type NS are a rarity in operations,
>   the best course of action is to leave this open-ended until "it
>   matters".

Well, now it is starting to matter.  Nazwa.pl bulk-signed many of
their customer domains, including at least nine that had wildcard
NS RRs at the zone apex.  This causes "unbound" to ServFail TLSA
lookups for the domains, and so they won't get email from SMTP
senders that support DANE unless they either drop the wildcard
NS or disable DNSSEC. Three of the domains seem to have working
mail hosts (SMTP connections time out for the other six).

For now not enabling DNSSEC on domains with a wildcard NS would
seem prudent.  The domains can be signed once the wildcard NS
RRs are removed.

Even if some suitable semantics for these were defined promptly
(unlikely) it would still take a long time for implementations
to catch up...  So this is something for signers to watch out
for.  Interesting that I'm only seeing this at nazwa.pl at
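A pre-signing check of the kind the post argues for, added here as an example (not code from this thread, from nazwa.pl or from unbound): a minimal zone-file scan that flags NS RRs owned by a wildcard name so the zone can be held back from DNSSEC signing until they are removed. The zone content and the `example.pl` names are constructed.

```python
"""Pre-signing check: flag wildcard NS RRs (RFC 4592 s4.2) before DNSSEC-signing a zone."""

def _fqdn(name, origin):
    """Expand a presentation-format owner name relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def find_wildcard_ns(zone_text, origin):
    """Return (owner, target) pairs for every NS record owned by a wildcard name.

    Minimal zone-file reader (not a full RFC 1035 parser): handles comments,
    $ORIGIN, $TTL, a blank owner meaning "same as previous", and optional
    numeric TTL / class fields before the RR type.
    """
    origin = origin if origin.endswith(".") else origin + "."
    owner = origin
    hits = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives do not matter for this check
        fields = line.split()
        if raw[0] not in " \t":  # an explicit owner name starts the line
            owner = _fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)  # skip optional TTL and class
        if len(fields) >= 2 and fields[0].upper() == "NS" and owner.split(".")[0] == "*":
            hits.append((owner, _fqdn(fields[1], origin)))
    return hits

def safe_to_sign(zone_text, origin):
    """True only when the zone has no wildcard NS RRs; hold back signing otherwise."""
    return not find_wildcard_ns(zone_text, origin)

# Constructed sample: an otherwise-empty zone with a wildcard NS just below the apex.
SAMPLE_ZONE = """\
$ORIGIN example.pl.
$TTL 3600
@   IN SOA ns1.example.pl. hostmaster.example.pl. 2018052601 7200 3600 1209600 3600
    IN NS  ns1.example.pl.
*   IN NS  ns1.example.pl.   ; wildcard NS: undefined under DNSSEC, unbound ServFails TLSA lookups
"""
```

Run `find_wildcard_ns(SAMPLE_ZONE, "example.pl")` to list the offending records; an empty result from a signing pipeline's pre-check is the condition for proceeding.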

